CA Releases Results of Red-Team Investigation of Voting Machines: All Three Systems Could Be Compromised


California Secretary of State Debra Bowen just released the results of the state's unprecedented top-to-bottom review of voting systems being used in the state (read here (pdf) for an overview of the Red Team findings). The review consisted of three parts, one of which involved a Red Team led by UC Davis computer scientist Matthew Bishop that was tasked with examining the systems for security vulnerabilities (see this PDF for a description of the Red Team's testing protocol). The team found that it could compromise all three of the top voting systems used in the state made by Diebold Election Systems, Hart Intercivic, and Sequoia Voting Systems, with the caveat that many, but not all, of the attacks they were able to accomplish on the machines could be mitigated with proper physical security of the machines, security training of staff, and contingency planning.

It should be noted that the Red Team stated it did not have enough time to fully examine the systems and was confident that further examination would reveal additional security vulnerabilities in the voting systems. You can read the Red Team reports on the three systems here (all of them are PDFs):

To see if any of these voting systems are used in your state, check out this spreadsheet from Electionline.org. And voters in California can see which systems are used in their county here (pdf). I should note that California uses eight types of voting systems in total, but four of them will not be used in the state after 2008, so those vendors did not submit their systems for review, and at least one vendor failed to submit its system in time for the review.

Here's a sample of what the team found with the Diebold voting system:

1. Election Management System. The testers were able to penetrate the GEMS server system by exploiting vulnerabilities in the Windows operating system as delivered and installed by Diebold. Once this access was obtained, they were able to bypass the GEMS server to access the data directly. Further, the testers were able to take security-related actions that the GEMS server did not record in its audit logs. Finally, with this level of access, the testers were able to manipulate several components networked to the GEMS server, including loading wireless drivers onto the GEMS server that could then be used to access a wireless device plugged surreptitiously into the back of the GEMS server.

2. Physical Security. The testers were able to bypass the physical controls on the AccuVote Optical Scanner using ordinary objects. The attack caused the AV-OS unit to close the polls, meaning the machine could not tally ballots at the precinct or inform voters whether they had “over-voted” their ballot. Similarly, the testers were able to compromise the AccuVote TSx completely by bypassing the locks and other aspects of physical security using ordinary objects. They found an attack that will disable the printer used to produce the VVPAT in such a way that no reminders to check the printed record will be issued to voters.

3. AccuVote TSx. The testers found numerous ways to overwrite the firmware in the AccuVote TSx. These attacks could change vote totals, among other results. The testers were able to escalate privileges from those of a voter to those of a poll worker or central count administrator. This enabled them to reset an election, issue unauthorized voter cards, and close polls. No knowledge of the security keys was needed.

4. Security Keys for Cryptography. The testers discovered that a well-known static security key was used by default.

And here's a sample of what the team found with the Sequoia Voting System:

2. Overwriting Firmware. The testers discovered numerous ways to overwrite the firmware of the Sequoia Edge system, using (for example) malformed font files and doctored update cartridges. The general approach was to write a program into memory and use that to write the corrupt firmware onto disk. At the next reboot, the boot loader loaded the malicious firmware. At this point, the attackers controlled the machine, and could manipulate the results of the election. No source code access was required or used for this attack, and a feature of the proprietary operating system on the Edge made the attack easier than if a commercial operating system had been used.

3. Overwriting the Boot Loader. Just as the testers could overwrite firmware on the disk, they could overwrite the boot loader and replace it with a malicious boot loader. This program could then corrupt anything it loaded, including previously uncorrupted firmware.

4. Detecting Election Mode. The firmware can determine whether the system is in test mode (LAT) or not. This means malicious firmware can respond correctly to the pre-election testing and incorrectly to the voters on Election Day.

5. Election Management System. The testers were able to bypass the Sequoia WinEDS client controlling access to the election database, and access the database directly. They were able to execute system commands on the host computer with access only to the database. Further, the testers were able to exploit the use of the autorun feature to insert a malicious program onto the system running the Sequoia WinEDS client; this program would be able to detect the insertion of an election cartridge and configure it to launch the above attacks when inserted into an Edge.

6. Presence of an Interpreter. A shell-like scripting language interpreted by the Edge includes commands that set the protective counter, the machine’s serial number, modify the firmware, and modify the audit trail.

7. Forging materials. Both the update cartridges and voter cards could be forged.

A second team, led by UC Berkeley computer scientist David Wagner, was responsible for examining the source code of all voting systems used in the state. That report doesn't appear to have been released yet.

The state will hold a public hearing on Monday in Sacramento to discuss the results and take comments from the public. Bowen is expected to release a decision by August 3rd about whether any machines in the state will be decertified. August 3rd is the last date by which the secretary of state can make decisions that will impact voting systems used in 2008.

Here's a sample of the kinds of attacks the team was able to conduct on the Hart Intercivic system:

1. Election Management System. The testers did not test the Windows systems on which the Hart election management software was installed because Hart does not configure the operating system or provide a default configuration. Hart software security settings provide a restricted, Hart-defined environment that the testers bypassed, allowing them to run the Hart software in a standard Windows environment. They also found an undisclosed account on the Hart software that an attacker who penetrated the host operating system could exploit to gain unauthorized access to the Hart election management database.

2. eScan. The testers were able to overwrite the eScan firmware. The team also accessed menus that should have been locked with passwords. Other attacks allowed the team to alter vote totals; these attacks used ordinary objects. The team, in cooperation with the source code review team, was able to issue administrative commands to the eScan.

3. JBC. The team developed a surreptitious device that caused the JBC to authorize access codes without poll worker intervention. The team verified that the mobile ballot box (MBB) card can be altered during an election. The team also found that post-election safeguards to prevent the altered data on a tampered MBB card from being counted can be easily bypassed.

4. eSlate. The testers were able to remotely capture the audio from a voting session on an eSlate with audio enabled, thereby providing an attack that violates voter privacy. The team was also able to force an eSlate to produce multiple barcodes after printing “BALLOT ACCEPTED” on the VVPAT records. This could cause a county that used bar code readers to read the VVPAT to produce erroneous vote totals.